Introduction
Both Microsoft Internet Security and Acceleration (ISA) Server 2004 and Allied Telesis routers enable you to define Virtual Private Networks (VPNs) for secure remote access to private LANs. This How To note describes how to configure a VPN in which an Allied Telesis router is the private office access gateway connected to a Microsoft ISA Server as the access concentrator.
Then it describes the configuration in the following sections. You must do all of these steps:
- "Configure the router" on page 3
- "Configure the ISA Server: remote network" on page 6
- "Configure the ISA Server: access rules" on page 14
- "Configure the ISA Server: network rules" on page 19
Then it describes how to test the configuration in the final section: "Test the tunnel" on page 23
This How To Note assumes you have already installed Microsoft ISA Server 2004 and are familiar with its basic functionality.
C613-16084-00 REV B
www.alliedtelesis.com
This How To Note applies to the following Allied Telesis routers and switches:
- AR415S, AR440S, AR441S and AR442S routers
- AR750S, AR750S-DP and AR770S routers
- Rapier 16fi and Rapier 24i switches
- AT-8824 and AT-8848 switches
- older routers such as AR720, AR740, AR745, AR725, AR300 series, AR450S, and AR410 series
- older switches such as earlier Rapier series switches
The network
The network configuration for this example is shown in the following figure.
[Figure not reproduced: the example network. Addresses shown in the figure are 192.168.32.0, 172.28.16.0, 192.168.32.1, 202.41.17.14, 69.114.9.44 and 172.28.16.1; the router's LAN interface is 172.28.16.1, as configured in the vlan1 command below.]
Page 2 | AlliedWare OS How To Note: VPNs with Microsoft ISA Server 2004
For routers and switches without an IP address, use the following commands:
    enable ip
    add ip interface=vlan1 ipaddress=172.28.16.1 mask=255.255.255.0
Whenever you configure a VPN through the Internet, we recommend you use a key value that cannot be easily guessed. All printable characters are valid.
6. Configure IPsec
This step defines a set of IPsec policies to:
- allow the router to forward ISAKMP negotiation traffic without encryption (the isakmp policy)
- tunnel traffic between the remote LAN and the local LAN (the tunnel policy)
- allow the router to forward web-browsing traffic without encryption (the internet policy)
The firewall uses NAT to translate private-side client IP addresses to a single global public IP address.
The firewall must also:
- allow ISAKMP packets to pass through the firewall
- pass VPN traffic through the firewall without applying NAT to it.
Enter a name such as Remote_network and click the Next button to move to the Network Type dialog.
Then click the Next button to move to the VPN Protocol dialog.
Then click the Next button to move to the Connection Owner dialog.
Then click the Next button to move to the Connection Settings dialog.
Then click the Next button to move to the IPsec Authentication dialog.
Then click the Next button to move to the Network Addresses dialog.
The IP Address Range Properties dialog opens. Enter the address range of the router's private network.
Then click the OK button to return to the Network Addresses dialog. If necessary, repeat this step to define other address ranges for the remote end's private network. When you have added all the required ranges, click the Next button to move to the Completing the New Network Wizard dialog.
Then click the IPsec Settings button to open the IPsec Configuration dialog.
Select the "Generate a new key every:" checkbox and enter 3600 seconds. Select the "Use Perfect Forward Secrecy (PFS)" checkbox and, for Diffie-Hellman group, select Group 2 (1024 bit).
Enter a name such as VPN access and click the Next button to move to the Rule Action dialog.
Then click the Next button to move to the Access Rule Sources dialog.
4. Specify the source network for traffic to which the rule applies
On the Access Rule Sources dialog, click the Add button to open the Add Network Entities dialog. On the Add Network Entities dialog, select Remote_network. Click the Add button.
Then click the Close button to return to the Access Rule Sources dialog. Check that the dialog now lists Remote_network.
Then click the Next button to move to the Access Rule Destinations dialog.
5. Specify the destination network for traffic to which the rule applies
On the Access Rule Destinations dialog, click the Add button to open the Add Network Entities dialog. On the Add Network Entities dialog, select Internal. Click the Add button.
Then click the Close button to return to the Access Rule Destinations dialog.
Then click the Next button to move to the User Sets dialog.
Click the Next button to move to the Completing the New Access Rule Wizard dialog.
Like the first rule, this rule applies to outbound traffic because it applies to traffic that is outbound from the source. For this rule, the source is the internal network. Note that the Microsoft ISA Server processes rules in the order in which they appear on the Firewall Policy list. Once it finds a match, the ISA Server does not look at any rules that are further down the list.
Enter a name such as VPN route and click the Next button to move to the Network Traffic Sources dialog.
Then click the Close button to return to the Network Traffic Sources dialog. Check that the dialog now lists Remote_network.
Then click the Next button to move to the Network Traffic Destinations dialog.
Then click the Close button to return to the Network Traffic Destinations dialog. Check that the dialog now lists Internal.
Then click the Next button to move to the Network Relationship dialog.
Then click the Next button to move to the Completing the New Network Rule Wizard dialog.
If the SAs have been established, this proves that the VPN tunnel has come up and that the two private networks can communicate.
© 2007 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.